Author's Abstract

The notion of fairness in trace-based formalisms is examined. It is argued that, in 
general, fairness means machine closure. The notion of hyperfairness introduced 
by Attie, Francez, and Grumberg is generalized to arbitrary action systems. Also 
examined are the fairness criteria proposed by Apt, Francez, and Katz. 
1 Introduction



Fairness in concurrent systems has been discussed for decades. There is even a
book on the subject [8]. The best-known attempt to characterize fairness was probably
Apt, Francez, and Katz's definition of three criteria for fairness notions [5].
We have learned much about trace-based formalisms since then, and I believe the
definition of fairness is now fairly obvious. While any precise formalization of
a vague concept is open to dispute, there does seem to be only one language-independent
definition that distinguishes fairness from liveness. That definition
appears to have been mentioned only by Abadi and Lamport [2, page 89] and
Schneider [15, pages 254-257]. My purpose here is to re-examine the question of
fairness in light of what has been learned in the last ten years.

Fairness for properties in an arbitrary trace-based formalism is defined in Section 2.
Fairness usually appears in the guise of fairness conditions on actions in
action systems. Section 3 reviews action systems — a simple abstraction that covers
programs and many kinds of specifications — and recalls the definition of weak
and strong fairness for actions. Section 4 generalizes weak and strong fairness and
defines hyperfairness, a very strong form of fairness for actions. Hyperfairness
generalizes the concept of the same name introduced by Attie, Francez, and Grumberg [6].
Section 5 extends the criteria of Apt, Francez, and Katz to arbitrary action
systems and discusses these criteria. A concluding section muses upon what it all
means.

Much of the material presented here is a review of well-known concepts; its 
presentation is quite terse. More loquacious expositions can be found in the cited 
literature. Proofs of the new results are not hard and are left mostly to the reader. 

2 Fairness and Machine Closure 

I assume a trace-based semantics in which a behavior is a sequence¹ of states and
a property is a predicate on behaviors. Everything translates easily to a formalism
(such as I/O automata) in which a behavior has action names attached to each
state transition.² In the informal discussion, I identify a property with the set of
behaviors satisfying it, so $R \Rightarrow T$ and $R \subseteq T$ are two ways of asserting that if a
behavior satisfies property R, then it satisfies property T.

The meaning of a system specification³ is a property — namely, the set of behaviors
representing a correct system execution. Any statement about specifications
that is independent of the particular language in which the specification is written
must be a statement about properties.

A safety property is one that is satisfied by an infinite behavior iff it is satisfied
by each finite prefix of the behavior [4].⁴ With the standard topology on sequences,
safety properties are closed sets. Let $\mathcal{C}(R)$ be the closure of property R in this
topology, so $\mathcal{C}(R)$ is the strongest safety property implied by R.

A property L is a liveness property iff any finite behavior can be extended to an
infinite behavior that satisfies L. In the standard topology on sequences, liveness
properties are dense sets. A theorem of topology implies that every property can
be written as the conjunction of a safety property and a liveness property [4].

A pair (S, L) of properties is machine closed [1] iff S is equivalent to $\mathcal{C}(S \wedge L)$.
This means that (S, L) is machine closed iff every finite sequence satisfying S can
be extended to an infinite sequence satisfying $S \wedge L$.

Most methods for writing specifications, including CCS, Unity, and I/O automata,
use some form of automaton to specify a safety property. The automaton
asserts the property S consisting of all state sequences that the automaton can generate.
In some of these methods, one also specifies a liveness property L — either
implicitly through the semantics of the automaton (as in Unity), or by writing L explicitly
(as in I/O automata). I will call the specification machine closed iff (S, L)
is machine closed.

Machine closure of an automaton-based specification means that, as long as
the automaton behaves correctly (keeps its safety property S satisfied), it can never
reach a state in which it is impossible to satisfy $S \wedge L$. In other words, the automaton
can never "paint itself into a corner." A specification that purports to describe an
implementation should be machine closed. However, one sometimes writes high-level
specifications that are not machine closed. (An example is the specification
of a serializable database in [10].)

In a number of methods, liveness is specified with so-called fairness conditions
on the automaton. The common feature of all these conditions is that they produce
machine-closed specifications. The only sensible definition of fairness that is
independent of any specification language seems to be:

Definition 1 A liveness property L is a fairness property for property S iff (S, L)
is machine closed.

¹ Infinite sequences must be allowed; it doesn't matter if finite sequences are.

² An easy way to make the translation is to introduce a state variable whose value is the name of
the transition just completed.

³ I take the term specification to include any kind of precise description of a reactive system. For
example, a program is a specification of what it means for the program to be executed correctly on a
computer.

⁴ In a formalism where behaviors are infinite sequences, a finite sequence satisfies a property R
iff it is the prefix of some infinite sequence that satisfies R.
3 Fairness for Action Systems

An action system⁵ consists of an initial state predicate Init and a set of predicates
$A_i$ on pairs of states. The $A_i$ are called system actions. An action system expresses
the safety property consisting of every behavior $\langle s_0, s_1, \ldots\rangle$ whose initial state $s_0$
satisfies Init and whose every pair $\langle s_n, s_{n+1}\rangle$ of successive states satisfies some
system action.

I will describe action systems in terms of TLA (The Temporal Logic of Actions) [12];
it should be easy to translate the definitions and results into any other
suitably expressive formalism. TLA assumes an underlying logic for writing state
predicates and actions. An action A (which is a predicate on pairs of states) is
defined to be a predicate on behaviors by letting $\langle s_0, s_1, \ldots\rangle$ satisfy A iff its initial
step $\langle s_0, s_1\rangle$ satisfies A. TLA includes the usual $\Box$ (forever) operator of linear-time
temporal logic [13].

The safety property of an action system with initial predicate Init and system
actions $A_i$ is written in TLA as $Init \wedge \Box[\exists i : A_i]_v$, where v is the tuple of all
relevant variables. For example, consider the action system with initial condition
$x = y = 0$ and the two actions $A_1$, which increments x by 1, and $A_2$, which
increments y by 1. These actions are defined formally by:

$$A_1 \triangleq (x' = x + 1) \wedge (y' = y) \qquad A_2 \triangleq (y' = y + 1) \wedge (x' = x) \qquad (1)$$

The safety property specified by this action system is:

$$(x = y = 0) \wedge \Box[A_1 \vee A_2]_{\langle x, y\rangle}$$

The subscript v (which equals $\langle x, y\rangle$ in the example) permits "stuttering" steps
that do not change any relevant variables. Stuttering steps are crucial for refinement,
but they are irrelevant when considering only a single specification. I will
therefore omit all subscripts. The reader familiar with TLA should be able to figure
out how to re-introduce them.

For the rest of this section and for Section 4, let us assume a fixed action system
with initial predicate Init and system actions $A_i$, and let us define N and S by

$$N \triangleq \exists i : A_i \qquad S \triangleq Init \wedge \Box[N] \qquad (2)$$

Formula S is the system's safety property, and action N is called its next-state 
relation. 

⁵ The term "action system" was introduced in 1983 by Back and Kurki-Suonio [7], but the concept
is much older.

An action A is enabled in a state s iff there exists a state t such that $\langle s, t\rangle$
satisfies A. The operators WF and SF are defined by

$$\mathrm{WF}(A) \triangleq \Diamond\Box(\mathrm{Enabled}\ A) \Rightarrow \Box\Diamond A$$
$$\mathrm{SF}(A) \triangleq \Box\Diamond(\mathrm{Enabled}\ A) \Rightarrow \Box\Diamond A$$

where Enabled A is the predicate asserting that A is enabled. Formula WF(A),
called weak fairness on A, asserts that if A eventually becomes enabled forever,
then infinitely many A steps must occur. Formula SF(A), called strong fairness on
A, asserts that if A is infinitely often enabled — even though it may also be infinitely
often disabled — then infinitely many A steps must occur. Since eventually forever
implies infinitely often, SF(A) implies WF(A) for any action A, so strong fairness
is stronger than weak fairness.

Most fairness conditions for action systems can be expressed as weak or strong
fairness on actions. For example, the requirement

If any of the actions $A_1, \ldots, A_k$ is ever enabled infinitely often, then
one of those actions must eventually be executed.

is just $\mathrm{SF}(A_1 \vee \ldots \vee A_k)$. The following proposition, proved by Abadi and Lamport [3],
shows that if A implies the next-state relation N, then weak and strong
fairness on A are indeed fairness properties.

Proposition 1 If S is defined by (2) and L is a finite or countably infinite conjunction
of formulas of the form WF(A) and/or SF(A), where each A implies N, then
(S, L) is machine closed.

4 Generalizing Weak and Strong Fairness 

Operators GWF and GSF that generalize weak and strong fairness can be defined
by replacing Enabled A with an arbitrary predicate P in the definitions of WF
and SF:

$$\mathrm{GWF}(P, A) \triangleq \Diamond\Box P \Rightarrow \Box\Diamond A$$
$$\mathrm{GSF}(P, A) \triangleq \Box\Diamond P \Rightarrow \Box\Diamond A$$

(The concept of generalized fairness seems to have been defined first by Francez
and Kozen [9].) Although these operators are not used in ordinary TLA specifications,
they occur implicitly in TLA reasoning. When proving that a specification
$T_1$ implies another specification $T_2$, we must substitute state functions for bound
(hidden) variables of $T_2$. Let $\overline{F}$ denote the result of performing such a substitution
on a formula F. Proving $T_1 \Rightarrow T_2$ requires proving that the fairness conditions of
$T_1$ imply the barred fairness conditions of $T_2$, which may include formulas like
$\overline{\mathrm{WF}(B)}$. This formula equals $\mathrm{GWF}(\overline{\mathrm{Enabled}\ B}, \overline{B})$; it need not equal $\mathrm{WF}(\overline{B})$
because $\overline{\mathrm{Enabled}\ B}$ does not necessarily equal $\mathrm{Enabled}\ \overline{B}$ [12]. The same situation
arises with SF formulas. Hence, we must prove that the WF and SF properties
of $T_1$ imply the GWF and GSF properties of $T_2$. The standard TLA rules for reasoning
about WF and SF contain the appropriate barred formulas [12, Figure 5].
Those rules have straightforward generalizations in which all formulas of the form
WF(C) and SF(C) are replaced by formulas GWF(P, C) and GSF(P, C), for
arbitrary predicates P.

The properties GWF(P, A) and GSF(P, A) are not always fairness properties,
even when A implies the next-state relation N. For example, GWF(TRUE, A) and
GSF(TRUE, A) equal $\Box\Diamond A$. This property, called "unconditional fairness" on A,
is not, in general, a fairness property. For example, $(S, \Box\Diamond\mathrm{FALSE})$ is machine
closed iff S equals FALSE.

I now give some necessary and sufficient conditions for GWF and GSF formulas
to yield fairness properties. These conditions are not pretty, and expressing them
requires some additional notation. Let "$\cdot$" be action composition, defined by letting
$\langle s, t\rangle$ satisfy $A \cdot B$ iff there exists a state u such that $\langle s, u\rangle$ satisfies A and $\langle u, t\rangle$
satisfies B. Define $A^* \cdot B$ by

$$A^* \cdot B \triangleq B \vee (A \cdot B) \vee (A \cdot A \cdot B) \vee (A \cdot A \cdot A \cdot B) \vee \ldots$$

We now define three operators:⁶

$$h(N, A) \triangleq \mathrm{Enabled}\,(N^* \cdot (N \wedge A))$$

$$gw(P, N, A) \triangleq P \Rightarrow (h(N, A) \vee \mathrm{Enabled}\,(N^* \cdot \neg P))$$

$$gs(P, N, A) \triangleq P \Rightarrow (h(N, A) \vee \mathrm{Enabled}\,(N^* \cdot \neg\mathrm{Enabled}\,(N^* \cdot P)))$$

Since P implies $\mathrm{Enabled}\,(N^* \cdot P)$, the monotonicity of Enabled implies
$gs(P, N, A) \Rightarrow gw(P, N, A)$.

The following proposition provides a necessary and sufficient condition for a 
GWF or GSF formula to be a fairness property. 

Proposition 2 If S is defined by (2) and L equals either GWF(P, A) or
GSF(P, A), for state predicate P and action A, then (S, L) is machine closed
iff S implies $\Box gw(P, N, A)$.⁷

⁶ The "$P \Rightarrow$" in the definition of gw is redundant and is included for symmetry. All these operators
can be expressed in terms of the weakest invariant operator win [11], since $\mathrm{Enabled}\,(N^* \cdot B)$
is equivalent to $\neg win(N, \neg\mathrm{Enabled}\ B)$, for any action B. A state predicate Q is considered to be
an action by letting $\langle s, t\rangle$ satisfy Q iff s does.

⁷ For a state predicate Q, the formula $S \Rightarrow \Box Q$ asserts that Q holds for every state of every
behavior satisfying S.
While not difficult, the proof of this proposition may help explain the rather obscure
definitions of h and gw, so we sketch it here.

1. If (S, GSF(P, A)) is machine closed, then so is (S, GWF(P, A)).

PROOF: By the general result that (S, F) machine closed and $F \Rightarrow G$ imply
(S, G) machine closed.

2. If (S, GWF(P, A)) is machine closed, then $S \Rightarrow \Box gw(P, N, A)$.

PROOF: Assume S does not imply $\Box gw(P, N, A)$. Then there exists a finite behavior
x satisfying S whose last state $x_j$ satisfies $\neg h(N, A) \wedge \neg\mathrm{Enabled}\,(N^* \cdot \neg P)$.
Since $x_j$ satisfies $\neg h(N, A)$, the definition of h implies that every
extension of x satisfying $\Box[N]$ has no more A steps. Since $x_j$ satisfies
$\neg\mathrm{Enabled}\,(N^* \cdot \neg P)$, predicate $\neg P$ is forever false in every extension of x
satisfying $\Box[N]$. Hence every extension of x satisfying S satisfies $\neg\mathrm{GWF}(P, A)$,
contradicting the machine-closure assumption.

3. If $S \Rightarrow \Box gw(P, N, A)$, then (S, GSF(P, A)) is machine closed.

PROOF: Let x be a finite behavior satisfying S, with last state $x_j$. The assumption means
that $x_j$ satisfies either (i) $\neg P \vee \mathrm{Enabled}\,(N^* \cdot \neg P)$ or (ii) $\mathrm{Enabled}\,(N^* \cdot (N \wedge A))$.
In case (i), we can extend x to a behavior satisfying $S \wedge \mathrm{GSF}(P, A)$
by taking a finite (possibly null) sequence of N steps, and then stuttering forever.
In case (ii), we can extend x with a finite sequence of N steps followed by an
$N \wedge A$ step, and then repeat the construction, obtaining an infinite extension
satisfying $S \wedge \mathrm{GSF}(P, A)$.
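
For a finite-state action system, the test in Proposition 2 can be run mechanically and compared with a direct search for fair extensions. The Python below is an added example, not code from the paper: the five-state system, the encoding of actions as sets of state pairs, and all function names are constructed for illustration, and stuttering steps are assumed to be allowed, as in the formulas whose subscripts are omitted above.

```python
# Added example: finite-state check of Proposition 2. Actions are sets of
# (state, next_state) pairs; stuttering steps are assumed always allowed.

def can_reach(N, targets):
    """Enabled(N* . Q) for a state predicate Q given as the set `targets`:
    all states from which some target is reachable by zero or more N steps."""
    found = set(targets)
    changed = True
    while changed:
        changed = False
        for s, t in N:
            if t in found and s not in found:
                found.add(s)
                changed = True
    return found

def reachable(init, N):
    """States that occur in some behavior satisfying S = Init & [][N]."""
    seen, todo = set(init), list(init)
    while todo:
        s = todo.pop()
        for u, t in N:
            if u == s and t not in seen:
                seen.add(t)
                todo.append(t)
    return seen

def enabled(action):
    """Enabled A: states s for which some t makes <s, t> satisfy A."""
    return {s for s, _ in action}

def h(N, A):
    """h(N, A) = Enabled(N* . (N & A)): an N & A step is still reachable."""
    return can_reach(N, enabled(N & A))

def gw(states, P, N, A):
    """States satisfying gw(P, N, A) = P => (h(N, A) | Enabled(N* . ~P))."""
    ok = h(N, A) | can_reach(N, states - P)
    return {s for s in states if s not in P or s in ok}

def gs(states, P, N, A):
    """States satisfying gs = P => (h(N, A) | Enabled(N* . ~Enabled(N* . P)))."""
    ok = h(N, A) | can_reach(N, states - can_reach(N, P))
    return {s for s in states if s not in P or s in ok}

def closed_by_prop2(init, P, N, A):
    """Proposition 2: machine closed iff every reachable state satisfies gw."""
    reach = reachable(init, N)
    return reach <= gw(reach, P, N, A)

def closed_by_lasso(init, P, N, A):
    """Independent check from the definition of machine closure: each reachable
    state must start an infinite extension satisfying GWF(P, A). With finitely
    many states that means reaching a ~P state (then stuttering forever) or
    reaching a cycle that contains an A step."""
    reach = reachable(init, N)
    good = can_reach(N, reach - P)
    for u, t in N & A:
        back_to_u = can_reach(N, {u})
        if t in back_to_u:          # the step <u, t> lies on a cycle
            good |= back_to_u
    return reach <= good

# Constructed system: A is enabled only in state 0; action C enters the region
# {2, 4}, from which state 0 (and so any further A step) is unreachable.
A = {(0, 1)}
B = {(1, 0), (1, 3), (3, 1)}
C = {(0, 2), (2, 4), (4, 2)}
N = A | B | C                       # next-state relation, as in (2)
INIT = {0}
ALL = reachable(INIT, N)

def verdicts():
    """For four choices of P: is GWF(P, A) a fairness property for S?
    Each value is (Proposition 2 test, direct lasso test)."""
    cases = {
        "WF(A)": enabled(A),        # GWF(Enabled A, A)
        "unconditional": ALL,       # GWF(TRUE, A) = []<>A
        "HF(N, A)": h(N, A),        # P = h(N, A)
        "P = {2}": {2},
    }
    return {name: (closed_by_prop2(INIT, P, N, A),
                   closed_by_lasso(INIT, P, N, A))
            for name, P in cases.items()}

if __name__ == "__main__":
    for name, result in verdicts().items():
        print(f"{name:14} {result}")
    print("gs fails only at:", ALL - gs(ALL, {2}, N, A))
```

Only unconditional fairness fails, because states 2 and 4 can never lead to another A step. For P = {2}, gw holds in every state while gs fails in state 2, so that formula meets the hypothesis of Proposition 2 but not hypothesis (ii) of Proposition 3.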

A specification usually requires the conjunction of fairness conditions for a set of
actions, not just fairness for a single action. There seems to be no simple, weakest
requirement for an arbitrary conjunction of GWF and GSF formulas to be a
fairness property. However, the following is a rather powerful generalization of
Proposition 1. Its proof is based on essentially the same construction used in step 3
in the proof above, except that x must be repeatedly extended to satisfy the fairness
properties for the different actions. This means that the stuttering construction
can't be used, so we need the stronger gs formula for GSF properties. The detailed
proof is similar to that of Proposition 1 and is omitted.

Proposition 3 If S is defined by (2) and L is a finite or countably infinite conjunction
of formulas, each of which is either (i) of the form GWF(P, A) where S implies
$\Box gw(P, N, A)$ or (ii) of the form GSF(P, A) where S implies $\Box gs(P, N, A)$, then
(S, L) is machine closed.

It would seem appropriate to reserve the term hyperfairness for the strongest general
fairness condition on an action that is a fairness property. This would mean
finding, for an action A, the weakest predicate P for which GSF(P, A) is a fairness
property. However, such a P does not, in general, exist. For example, define

$$S \triangleq (x = 0) \wedge \Box(x' = x + 1) \qquad A \triangleq x' = -7$$
$$Q(i) \triangleq x < i \qquad Q \triangleq \exists i \in Nat : Q(i)$$

Any finite behavior satisfying S can be extended to one satisfying $S \wedge \Diamond\Box\neg Q(i)$,
hence satisfying $S \wedge \mathrm{GSF}(Q(i), A)$, for any number i. Thus, GSF(Q(i), A) is a
fairness property. Suppose there were a weakest P such that GSF(P, A) is a fairness
property. Then each Q(i) must imply P, so Q implies P. Hence, GSF(P, A)
implies GSF(Q, A), so GSF(Q, A) must be a fairness property. (See step 1 in the
proof of Proposition 2.) But, S implies $\Box Q \wedge \Box\neg A$, which implies $\neg\mathrm{GSF}(Q, A)$,
so GSF(Q, A) is not a fairness property. Hence, there can be no weakest P for
which GSF(P, A) is a fairness property.

While there is no strongest fairness property GSF(P, A) for an arbitrary A,
Proposition 2 and the definition of gw suggest taking P to be h(N, A). We therefore
define the hyperfairness operator HF by

$$\mathrm{HF}(N, A) \triangleq \mathrm{GSF}(h(N, A), A)$$

While not in general the strongest possible fairness property for action A, it is
still quite strong. It asserts that infinitely many A steps must occur if, infinitely
often, a state is reached in which some possible sequence of N steps could enable
A. Proposition 3 implies that the conjunction of any finite or countably infinite
collection of hyperfairness properties is a fairness property.

The definitions of S and h(N, A) imply that for any behavior $\langle s_0, s_1, \ldots\rangle$
satisfying S and for any n, if $s_n$ satisfies h(N, A), then $s_m$ satisfies h(N, A) for
every m < n. This implies:

Proposition 4 If S is defined by (2), then S implies that $\Box\Diamond h(N, A)$ is equivalent
to $\Box h(N, A)$, for any action A.

This proposition shows that S implies the equivalence of GSF(h(N, A), A) and
GWF(h(N, A), A), so it doesn't matter whether we use GSF or GWF in the definition
of HF.

Attie, Francez, and Grumberg defined a tiny toy programming language called
IP, based on multi-party CSP-style synchronization, and they defined hyperfairness
for IP programs as follows [6]:

Definition (Hyperfairness). If P is an IP program in which every top-level
interaction is conspiracy-resistant, then an infinite computation $\pi$
is hyperfair iff .... If P is an IP program in which not every top-level
interaction is conspiracy-resistant, then every computation $\pi$ of P is
hyperfair.

The ". . ." is a condition that, in the context of the definition, is equivalent to the
conjunction of hyperfairness properties for certain actions. It is in this sense that
HF generalizes their definition of hyperfairness.

5 The Criteria of Apt, Francez, and Katz 

Apt, Francez, and Katz (henceforth called AFK) gave three "appropriateness" criteria
for fairness notions in a programming language: feasibility, equivalence robustness,
and liveness enhancement [5]. Although their abstract promised to consider
"relations among various languages and models for distributed computation",
they discussed mainly programs written in CSP-like languages with multi-party
interactions. I now generalize their criteria to arbitrary action systems, remaining
as faithful as possible to AFK's intentions and notation. Afterwards, I discuss the
criteria and show that they are satisfied by a large class of hyperfairness properties.

5.1 The Criteria Redefined 

For any action system P, let $N_P$ and $S_P$ be the action N and property S defined
by (2), and let comp(P) be the property $S_P \wedge \mathrm{WF}(N_P)$. Assume some class $\mathcal{A}$ of
action systems. A fairness notion F is a mapping that assigns a property F(P) to
every system P in $\mathcal{A}$.

AFK defined the fairness notion F to be feasible iff $(S_P, \mathrm{WF}(N_P) \wedge F(P))$ is
machine closed, for every P in $\mathcal{A}$.

AFK defined their second criterion, equivalence robustness, only when all
system actions are deterministic and mutually disjoint. In that case, a behavior
$\langle s_0, s_1, \ldots\rangle$ in $S_P$ is uniquely determined by the initial state $s_0$ and the sequence
$\langle A_{k(0)}, A_{k(1)}, \ldots\rangle$ of system actions such that $\langle s_n, s_{n+1}\rangle$ satisfies $A_{k(n)}$, for each
n. We can therefore consider a behavior to consist of an initial state and a sequence
of system actions. For behaviors $\pi$ and $\rho$, AFK defined

$\pi \equiv \rho$ iff $\pi$ can be obtained from $\rho$ by (possibly infinitely many)
simultaneous transpositions of two independent [system] actions.

where system actions $A_i$ and $A_j$ are independent iff they commute — that is, iff
$A_i \cdot A_j$ is equivalent to $A_j \cdot A_i$. We can then define a property R to be equivalence
robust for the system P iff, for any pair of behaviors $(\pi, \rho)$ such that $\pi \equiv \rho$,
behavior $\pi$ satisfies R iff behavior $\rho$ does. AFK defined F to be equivalence robust
iff F(P) is equivalence robust for P, for all P in $\mathcal{A}$.

To extend this definition to arbitrary action systems, we need to generalize
AFK's definition of $\equiv$. Without the assumption that system actions are pairwise
disjoint and deterministic, it is not obvious what is meant by the simultaneous
transpositions of infinitely many actions. I will define $\pi \triangleright \rho$ to mean that $\pi$ differs
from $\rho$ by the transposition of two adjacent actions, define $\pi \rightarrow \rho$ to mean that
$\rho$ is obtained from $\pi$ by a convergent sequence of such transpositions, and define
$\pi \equiv \rho$ to mean $\pi \rightarrow \rho$ and $\rho \rightarrow \pi$.

Let $\sigma_i$ denote state i of a behavior $\sigma$, so $\sigma$ equals $\langle\sigma_0, \sigma_1, \ldots\rangle$. Define $\pi \triangleright \rho$
to mean that there exists a natural number n such that (i) $\pi_m = \rho_m$ for all
$m \neq n + 1$, and (ii) for any system actions A and B, if $\langle\rho_n, \rho_{n+1}\rangle$ satisfies A and
$\langle\rho_{n+1}, \rho_{n+2}\rangle$ satisfies B, then $\langle\pi_n, \pi_{n+1}\rangle$ satisfies B and $\langle\pi_{n+1}, \pi_{n+2}\rangle$ satisfies
A. This definition is illustrated pictorially below.⁸

[Figure: diagram of the relation $\pi \triangleright \rho$, with labels $\pi_{n-1} = \rho_{n-1}$ and $\pi_{n+2} = \rho_{n+2}$.]

Let $\trianglerighteq$ mean $\triangleright$ or =. Define $\pi \rightarrow \rho$ to be true iff there exists an infinite sequence
$\sigma^{(0)}, \sigma^{(1)}, \ldots$ of behaviors such that (i) $\sigma^{(0)} = \pi$, (ii) $\sigma^{(k)} \trianglerighteq \sigma^{(k+1)}$ for all k, and
(iii) for every n there exists an m such that $\sigma^{(k)}_n = \rho_n$ for all k > m. Finally, let
$\pi \equiv \rho$ equal $(\pi \rightarrow \rho) \vee (\rho \rightarrow \pi)$.

Having defined $\equiv$ for an arbitrary action system, we can define equivalence
robustness as before: property R is equivalence robust for P iff $\pi \equiv \rho$ implies that
$\pi$ satisfies R iff $\rho$ does; and F is equivalence robust iff F(P) is equivalence robust
for P, for all P in $\mathcal{A}$.

AFK's third criterion, liveness enhancement, essentially asserts that there is
some P in $\mathcal{A}$ such that $comp(P) \wedge F(P)$ is not equivalent to comp(P).⁹

⁸ This condition implies that A and B commute for the pair $\langle\rho_n, \rho_{n+2}\rangle$ of states. We could further
require that A and B simply commute — that is, commute for all pairs of states. It makes no difference
to the ensuing discussion whether or not we change the definition of $\triangleright$, and hence of $\equiv$, in this way.

⁹ AFK actually stated liveness enhancement in terms of terminating programs. As they observed,
their definition is equivalent to this one for the particular class of programs they were considering.

5.2 The Criteria Re-examined

Feasibility of F is almost the same as requiring that F(P) be a fairness property
for $S_P$, for all P in $\mathcal{A}$. The two requirements are not the same because AFK
made $\mathrm{WF}(N_P)$ an intrinsic assumption about an action system rather than just a
particularly weak fairness property. This accords with the common practice of
calling "unfair" an execution of a multi-process program that satisfies only this
fairness property. While it is fruitless to argue with a definition, I believe that the
fundamental nature of safety and machine closure suggests that it is unproductive
to distinguish $\mathrm{WF}(N_P)$ from other fairness properties. Indeed, defining fairness to
mean machine closure makes even TRUE a fairness property. Ad hoc restrictions to
rule out such "trivial" fairness properties seem pointless.

Equivalence robustness of F requires that F(P) be equivalence robust for P,
for every P in $\mathcal{A}$. Unlike fairness, equivalence robustness depends on the actual
action system P, not just on its safety property $S_P$. To show this dependence, I
now construct two action systems $P_1$ and $P_2$ with equivalent safety properties (so
the systems are semantically equivalent) and a property L that is equivalence robust
for one and not the other.

Let $P_1$ be the action system considered in Section 3 that has initial predicate
x = y = 0 and actions $A_1$ and $A_2$ defined by (1); let $A_{2>}$ be the action
$(x > y) \wedge A_2$, and let L be the property $\Box\Diamond A_{2>}$. Let $\pi$ be the behavior obtained by
alternately performing $A_1$ and $A_2$ actions, starting with an $A_1$ action; and let $\rho$ be
the same as $\pi$, except starting with an $A_2$ action. Since $\pi$ can be obtained from
$\rho$ by interchanging each $A_1$ action with the following $A_2$ action, we have $\rho \equiv \pi$.
Since x > y holds in $\pi$ at the beginning of each $A_2$ step and never holds in $\rho$,
behavior $\pi$ satisfies L and behavior $\rho$ does not. Hence, L is not equivalence robust
for $P_1$.

Let $P_2$ be the system with the same initial predicate x = y = 0 and the four
actions $A_{1\leq}$, $A_{1>}$, $A_{2\leq}$, and $A_{2>}$, where the three new actions are defined by:

$$A_{1\leq} \triangleq (x \leq y) \wedge A_1 \qquad A_{1>} \triangleq (x > y) \wedge A_1 \qquad A_{2\leq} \triangleq (x \leq y) \wedge A_2$$

Property L, which asserts that infinitely many $A_{2>}$ actions occur, is obviously
equivalence robust for $P_2$.

Since $N_{P_1}$ is equivalent to $N_{P_2}$, the systems $P_1$ and $P_2$ have the same safety
property. Thus, we have two semantically equivalent action systems and a property
that is equivalence robust for one but not the other.

Under extremely weak hypotheses, we can show that for any action system 
P, there exists a semantically equivalent action system such that every property is 
equivalence robust for P. We simply define P to have a separate system action for 
every pair of states that satisfies $N_P$.

Since equivalence robustness is not a semantic property of a system, but depends
on how the system is represented, it is unlikely to be a useful concept —
except perhaps for action systems expressed in a language that severely restricts
how they can be represented.

Liveness enhancement of F, AFK's final criterion, asserts that there exists some
P in $\mathcal{A}$ for which F(P) is stronger than $\mathrm{WF}(N_P)$. It rules out the fairness notion
that assigns $\mathrm{WF}(N_P)$ to every system P, reflecting AFK's decision not to consider
$\mathrm{WF}(N_P)$ to be a fairness property. They may also have been trying to rule out
trivial ways of defining a fairness notion that satisfies all three criteria. However,
Attie, Francez, and Grumberg's definition of hyperfairness shows that there is a
simple way to define F to satisfy all the criteria: (i) find a subclass of action systems
for which there exists some equivalence-robust fairness property, and (ii) define
F(P) to be that property if P is in the subclass, and to equal TRUE otherwise. For
example, take the subclass consisting of those P for which $S_P$ implies that every
system action is always enabled, and define F(P) to equal $\forall i : \Box\Diamond A_i$ for all P in
this subclass.

5.3 Hyperfairness and the AFK Conditions 

Attie, Francez, and Grumberg proved that their definition of hyperfairness satisfies 
the three AFK conditions. Let's see if this is true of my definition of hyperfairness. 

Feasibility follows directly from Proposition 3. To satisfy liveness enhancement,
we would have to define a class of action systems and some particular conjunction
of hyperfairness formulas for each action system in that class. This is a
simple and pointless exercise that can be omitted.

We are left with equivalence robustness. The conjunction of properties is equivalence
robust if each conjunct is, so we need consider only individual hyperfairness
formulas. For an arbitrary action A, the hyperfairness formula $\mathrm{HF}(N_P, A)$ need not
be equivalence robust for action system P. For example, $\mathrm{HF}(N_{P_1}, A_{2>})$ is not
equivalence robust for $P_1$, where $P_1$ and $A_{2>}$ are the system and action defined
above. However, we can prove the following result:

Proposition 5 If P is an action system and A is the disjunction of system actions
of P, then $\mathrm{HF}(N_P, A)$ is equivalence robust for P.

To prove the proposition, we assume $\pi \rightarrow \rho$ and $\pi$ satisfies $\mathrm{HF}(N_P, A)$, and we
prove $\rho$ satisfies $\mathrm{HF}(N_P, A)$. We do this by proving (i) if $\pi$ satisfies $\Box\Diamond h(N_P, A)$
then so does $\rho$ and (ii) if $\rho$ satisfies $\Box\Diamond A$ then so does $\pi$. Result (i) follows easily
from Proposition 4; (ii) follows from the observation that, for any system action
$A_i$ and behaviors $\sigma$ and $\tau$ with $\sigma \trianglerighteq \tau$, if infinitely many $\tau$ steps satisfy $A_i$, then
infinitely many $\sigma$ steps also satisfy $A_i$. The details are left as an exercise for any
reader who cares about equivalence robustness.

6 Conclusion 

Fairness conditions are a way of expressing liveness properties, and liveness properties
are inherently problematic. The question of whether a real system satisfies
a liveness property is meaningless; it can be answered only by observing the system
for an infinite length of time, and real systems don't run forever. Liveness is
always an approximation to the property we really care about. We want a program
to terminate within 100 years, but proving that it does would require the addition
of distracting timing assumptions. So, we prove the weaker condition that the program
eventually terminates. This doesn't prove that the program will terminate
within our lifetimes, but it does demonstrate the absence of infinite loops.

In practice, almost all reactive systems can be specified using action systems
together with simple weak and strong fairness properties.¹⁰ Most specifications are
machine closed. A machine-closed specification can always be written as an action
system together with fairness properties only on disjunctions of system actions.
However, in some cases, this requires a complicated representation of each system
operation as the disjunction of infinitely many actions. For those cases, as well
as for writing non-machine-closed specifications, we can use formulas of the form
WF(A) or SF(A) when A is not simply the disjunction of system actions. The more
general properties expressible with the GWF and GSF operators are rarely needed.
A hyperfairness formula HF(N, A) is a particularly obscure example of such a
property, since h(N, A) will be impossible to compute in any practical situation,
if hyperfairness differs from strong fairness. It therefore seems safe to predict that
hyperfairness will be of at most theoretical interest.